university of vaasa faculty of technology

Transcription

university of vaasa faculty of technology
UNIVERSITY OF VAASA
FACULTY OF TECHNOLOGY
TELECOMMUNICATIONS ENGINEERING
Arto Mäenpää
INFORMATION SECURITY FOR BYOD IN ABB
Master´s thesis for the degree of Master of Science in Technology submitted for
inspection, Vaasa, 2 September, 2013.
Supervisor
Professor Mohammed Salem Elmusrati
Instructor
Tobias Glocker
2
ACKNOWLEDGEMENT
This thesis has been made in the information security department of ABB.
Making the thesis has been quite a journey for me personally and I never would
have made it without the support of those who believed in me throughout this
whole experience. There are a lot of people who I should thank a lot for being
there for me but particularly the big thank you goes to my girlfriend Minna
who has been really supportive towards me during these hectic times as well as
for Tobias Glocker who was always there when I needed some help related to
work. I would also like to thank my parents who have helped me financially
during the time I have been studying. So big thank you to you as well!
Arto Mäenpää
3
Table of Contents
1. INTRODUCTION .......................................................................................................8
2. HISTORY OF ABB AND CURRENT LANDSCAPE ...........................................10
2.1. Corporate architecture ......................................................................................11
2.2. Information systems governance ....................................................................13
3. BYOD ..........................................................................................................................14
3.1. BYOD Concept ...................................................................................................14
3.1.1. Advantages of BYOD .................................................................................17
3.1.2. Disadvantages of BYOD ............................................................................18
3.1.3. BYOD Policy Considerations ....................................................................20
3.2. Cloud computing ...............................................................................................21
3.3. Virtual Private Network ...................................................................................24
3.3.1. VPN Tunneling ...........................................................................................25
3.3.2. VPN Data Encryption ................................................................................28
3.3.4. VPN Authentication ...................................................................................34
3.4. Security threats ..................................................................................................39
3.4.1. Software Threats .........................................................................................40
3.4.2. Risk Analysis ...............................................................................................42
3.5. Information Security and compliance ............................................................44
3.5.1. Security considerations ..............................................................................44
3.5.2. Compliance considerations .......................................................................46
4. INTERNET OPERATING SYSTEMS IN BUSINESS WORLD ...........................49
4.1. Windows (PC) ....................................................................................................50
4
4.2. Linux ....................................................................................................................51
4.3. Apple Mac OS ....................................................................................................51
4.4. Windows Phone 8 ..............................................................................................52
4.5. Android ...............................................................................................................52
4.6. Apple iOS ............................................................................................................53
5. BYOD SECURITY SOLUTION FOR ABB .............................................................54
6. CONCLUSION .........................................................................................................55
REFERENCES ...............................................................................................................58
5
ABBREVIATIONS
3DES
Triple DES
AES
Advanced Encryption Standard
ARM
Advanced Risk Machines
BIOS
Basic Input Output System
BYOD
Bring Your Own Device
CMOS
Complementary Metal Oxide Semiconductor
CPU
Central Processing Unit
DES
Data Encryption Standard
FTP
File Transfer Protocol
HLR
Home Location Register
IETF
Internet Engineering Task Force
IN
Intelligent Network
IOS
Internet Operating System
ISP
Internet Service Provider
OSI-model
Open Systems Interconnection Reference Model
OTP
One-Time Password
PPP
Point-to-Point Protocol
PPTP
Point-to-Point Tunneling Protocol
SAEM
Security Attribute Evaluation Method
SSH
Secure Shell
6
USB
Universal Serial Bus
UWYT
Use What You Are Told
VPN
Virtual Private Network
WAN
Wide Area Network
WLAN
Wireless Local Area Network
7
UNIVERSITY OF VAASA
Faculty of technology
Author:
Arto Mäenpää
Topic of the Thesis:
Information Security for BYOD in ABB
Supervisor:
Mohammed Elmusrati
Instructor:
Tobias Glocker
Degree:
Masters of Science in Technology
Degree Programme:
Degree Programme in Telecommunications
Engineering
Major of Subject:
Telecommunications Engineering
Year of Entering the University: 2005
Year of Completing the Thesis: 2013
Pages: 98
ABSTRACT
BYOD (Bring Your Own Device) is the future policy in companies that is going
to replace the old UWYT (Use What You Are Told) way of thinking. This new
policy has a lot of issues both security wisely and policy wisely that needs to get
solved before we can fully implement this policy into larger companies. Thanks
to large interest in the subject a lot of companies have already come up with
solutions to this issue and started to use BYOD policy within their companies.
The main target of this Master´s Thesis “Information Security for BYOD in
ABB” was to create a working information security system for future BYOD
policy use in ABB. For the Thesis we used six different test users with different
portable devices and statuses and tried to create a policy that fits well with their
job and fulfills the security requirements of ABB. We also discuss a little about
cloud computing and how it is good to be included into the final solution for
the BYOD security plan.
KEYWORDS: BYOD, Information Security, ABB, Security Planning
8
1. INTRODUCTION
In the consumerization of IT, bring your own device (BYOD) is a phrase that
has become widely adopted to refer to employees who bring their own
computing devices such as laptops and smartphones into their working place
and use them to access the corporate network and corporate data. Today
employees expect to use personal smartphones and mobile devices at work and
a lot of companies have started to implement BYOD security policy within their
companies. For example the IT may require that the mobile devices are
configured with passwords, only certain applications are allowed and that the
data on the device must be encrypted.
The main goal of this thesis is to develop an information security plan for
BYOD use in ABB for the information security department. Being the leading
company in power and automation technology ABB invests a lot of money into
research and development. Because for example in the graphics area Apple
products have become more and more popular among the employees it would
be good for ABB to also allow the development workers to bring their own
iMac laptops with them into their working place. IMac´s processor is more
efficient and it runs and compiles the graphics more efficiently. That is why it
has become more and more popular among the designing people (see Figure 1).
If the employees get allowed to use their own devices at work it is vital for ABB
to come up with a secure plan how to protect the corporate network from
threats and attacks as well as creating a policy for the mobile devices that is
legal and secure here in Finland.
9
Figure 1. Employee using iPad for designing (Niharika 2012: 5).
The thesis consists of six chapters where the first chapter contains the
introduction to the thesis. In the second chapter the company structure and the
history of ABB are explained. Chapters three and four are theoretical parts of
bring your own device (BYOD) sharing some information about the whole
concept and its advantages and disadvantages. It also contains important
information that what needs to be taken into consideration while creating a safe
BYOD solution and policy for ABB. In the fifth chapter there is a BYOD solution
which contains both policy solution, solution model for the different internet
operating systems as well as interviews from the employees of ABB about their
pilot BYOD devices. The conclusion part can be found in the chapter six with
future suggestion for ABB about the whole concept.
10
2. HISTORY OF ABB AND CURRENT LANDSCAPE
ABB is a global leader in power and automation technologies. It is a
multinational corporation which has its headquarters based in Zurich,
Switzerland. The company operates in approximately 100 countries and has
over 145,000 employees (June 2012). ABB´s current form was created in 1988 but
it´s history spans over 120 years. It´s business is comprised of five divisions that
are organized in relation to the customers and industries they serve. The
success of the company has been driven particularly by a strong focus on
research and development. The company has seven research centres around the
world and it has a long track record of innovations. Many of the modern society
inventions from high-voltage DC power transmission to the revolutionary
approach to ship propulsion were developed by ABB. Today ABB is the largest
provider of generators to the wind industry and the largest supplier of power
grids worldwide. In Figure 2 a data centre in ABB Sweden is represented. (ABB
Intranet 2013.)
Figure 2. ABB data center in Västerås, Sweden (ABB 2012).
11
2.1. Corporate architecture
The corporate architecture of ABB consists of five different divisions; Power
Products, Power Systems, Discrete Automation and Motion, Low Voltage
Products and Process Automation. The Power Products division is the largest
one with over 36 000 employees and it consists of three business units: High
Voltage
Products
(PPHV),
Medium
Voltage
Products
(PPMV)
and
Transformers (PPTR).
The second largest division is Low Voltage Products which has about 31 000
employees. The main business units in Low Voltage Products are Breakers and
Switches (LPBS), Control Products (LPCP), Enclosures & DIN-Rail Products
(LPED), LV Systems (LPLS), Thomas & Betts (LPCW) and Wiring Accessories
(LPWA).
Discrete Automation is the third largest division in ABB with over 29 000
employees. It consists of four business units including Drives and Controls
(DMDR), Motors and Generators (DMMG), Power Conversion (DMPC) and
Robotics (DMRO).
Process Automation has about 28 000 employees and it is almost equally as big
as Discrete Automation division.
It contains nine different business unites
including Control Technologies (PACT), Full Service (PAFS), Measurement
Products (PAMP), Marine & Cranes (PAMA), Mining (PAM), Oil, Gas and
12
Petrochemical (PAOG), Paper, Metals & Cement (PAPM), Service (PASV) as
well as Turbocharging (PATU).
The smallest division with over 20 000 employees is the Power Systems. It
contains four business units Grid Systems (PSGS), Network Management
(PSNM), Power Generation (PSPG) and Substations (PSSS). For Power Systems
the key deliverables are AC and DC power transmission grid systems for
traditional and renewable energy integration, network management and
systems, turnkey substations (including substation automation) and power
systems services. Figure 3 represents the most important innovations ABB has
been involved with. (ABB Intranet 2013.)
Figure 3. Some of the most important inventions done by ABB worldwide (ABB group
presentation 2013: 11).
13
2.2. Information systems governance
This chapter of the thesis contains confidential information about the structure of
information security in ABB and it is thus removed.
14
3. BYOD
Chapter three consists of BYOD. In first section the BYOD concept is described
and compared to the old UWYT (Use What You Are Told) policy. After going
through the differences between the two concepts the main advantages and
disadvantages of BYOD are described. On the last section of the chapter the
BYOD privacy considerations are briefly described.
3.1. BYOD Concept
Figure 4. Different BYOD devices (Jain 2012).
BYOD (Bring Your Own Device) (also referred to as Bring your own technology
(BYOT), Bring your own phone (BYOP) and Bring your own PC (BYOPC)) is a
recent trend that has been observed in many companies where the company
employees bring their personally-owned mobile devices, iPad’s or laptops to
15
their workplace to access corporate resources such as email, databases, file
servers as well as their own personal data. The policy was first discovered in
2009 by Compared to the old way of thinking UWYT (Use What You Are Told).
It is a more flexible concept and gives the employee opportunity to choose the
device what fits best for his job. Using personal devices (see Figure 4) at work is
beneficial for the companies because it gives the employee’s freedom to choose
the device that fits best for their needs and it increases productivity and
flexibility within the company. Even though BYOD has been considered
beneficial for the company because it raises the happiness and productiveness
of the employee, it´s policy contains some data security risks. In Figure 5 can be
seen the main differences between the BYOD and UWYT – concepts from the
employee perspective. BYOD is much more flexible concept but it also requires
a higher technical ability from the employee than UWYT. It requires more
training for the employee and also a clear policy what the employee is allowed
to do with the device and what not. In UWYT the information security is
“tightly coupled” within the company and there is a control of all layers of
architecture. The BYOD policy depends what kind of agreement the employee
and the employer have made about the applications, devices and security
issues. The devices in UWYT – companies are always centrally supported by
antivirus and data protection but in BYOD the data protection is divided into
internal protection for the data and external protection for the endpoint user.
(Burt 2011: 1.)
The information and data flow oversight in BYOD is much less controllable
than in UWYT where everything what is done with the company´s own device
can be controlled. In BYOD the concept allows the employee to install their own
16
software to the computer and because of that also the data leakage is more
likely to happen in BYOD compared to UWYT. There is also a big question
about the data and ownership of the device. The biggest question from the
bringing your own device is if it is owned by the employee or if it is owned by
the company? This is an important question because it must be clarified if the
company is responsible for buying a new one to the employee and allowed to
wipeout the stolen computer or if the employee just buys a new one and hopes
that the data from the stolen computer won´t end in wrong hands? (Burt 2011:
1.)
Figure 5. Differences of UWYT - employee and BYOD - employee (Niharika 2012: 2).
17
Cisco System´s annual Visual Networking Index Forecast predicted in June
2011 that there will be over 15 billion network-connected devices including
smartphones, notebooks, tablets and other smart machines in 2015. (Jeffrey
2011: 1.) The usage of personal PC, smartphone and tablet in business
applications has increased by 10% between 2010 to 2011. This clearly shows that
the demand for BYOD in larger companies is coming even higher in the future
because the network-connected devices are becoming more and more common
within the employees. In the following two sections the advantages and
disavantages of BYOD are discussed more briefly. (Burt 2011: 1.)
3.1.1. Advantages of BYOD
There are several advantages and disadvantages of BYOD policy which will be
discussed in the next two chapters. The biggest advantage in BYOD compared
to UWYT policy is that the employees are much happier, productive and
collaborative when they can bring their own devices to work. According to a
survey made by iPass of 1,100 mobile workers, it was figured out that the
employees who used mobile devices for both work and personal issues worked
240 hours more per year than those who don´t have their own mobile working
devices. BYOD also reduces the costs in maintenance because employees will
have to take care of the hardware and software by themselves instead of some
company employee handling them for all. In larger organizations such as ABB
it is also quite impossible to keep the hardware and software always up-to-date
but with BYOD the employee himself can update it fast in order to decrease the
security threats. (Niharika 2012: 4.)
18
BYOD can also be seen as a competitive advantage over other companies. It
attracts best employees because they know that within the BYOD company they
can have flexible working hours and they can also work at home after the
working hours if necessary. This of course increases the engagement of the
employees to work in after hours and it is always beneficial for the company.
BYOD can be seen more as a business decision than an IT decision. By
embracing BYOD the organization gets benefits from having a more productive
and collaborative end user environment, the ability to retain and hire highly
talented people for end users and give them more flexibility. (Niharika 2012: 4.)
3.1.2. Disadvantages of BYOD
Even though BYOD has been considered as a positive policy for the companies
it also has a lot of disadvantages as well. When an employee attaches his
personal smartphone or tablet to an organizational network or machine, it
makes sense to worry about the overall security. When the external devices are
attached, malware could immediately migrate from the personal device to the
company´s machines and over corporate network. Also when the employee is
allowed to access the corporate network it is likely that the sensitive data will
also end into the employees own personally used device. This data could
include for example customer information or company information that should
be kept private. When that kind of information is carried away from the
company on a daily basis, bad things can happen especially if the device is
stolen or lost. (Miller, Voas & Hurlburt 2012: 2.)
19
When laptops became more common people were as afraid what will happen as
they are now with BYOD. They are larger than smartphones with higher
memory capacity so when a laptop disappears it is more likely to be noticed.
Another big and less physical aspect is that when the company is using its own
laptops and devices, it usually enforced its own policies to those machines
requiring passwords and encrypted the sensitive data. Usually the devices are
this time owned by the employee and it makes it harder for the company to
enforce their own policy into the devices which they actually don´t even own. If
the device is owned by the company it would become quite expensive for the
company because then they would have to buy for the employees all the
devices they think they need in their personal and work use. This is a key factor
that needs to be understood completely before applying the BYOD policy in the
company. (Miller, Voas & Hurlburt 2012: 2.)
The employees using BYOD need to be more experienced than the employees
working with the UWYT devices. They need to be well aware about the risks
that can occur when they for example install an application that is used for
personal purposes only. To keep the employees updated about the latest threats
they need to be trained more and it will cost money for the company. (Miller,
Voas & Hurlburt 2012: 2.)
For the company another thing to be worry about, is the lack of uniformity and
compatibility issues. Some applications and tools may not be uniform on all
devices and it can result in incompatibility when for example trying to connect
20
to the corporate network or access a word file created by another employee who
has purchased a newer version. (Priyadarshi 2013.)
Depending on the solution whether the employee saves the company´s data
while working to a cloud or directly to the corporate network can also be a risk
factor for the company. If the data is stored into cloud the cloud needs to be
partitioned and protected so that the employee can´t access other partitions in
the cloud or a third party gets access to the company´s sensitive data. The
employee also needs to secure the Internet connection because the company
isn´t securing it for them. (Miller, Voas & Hurlburt 2012: 3.)
3.1.3. BYOD Policy Considerations
Even though the security seems to be the major concern when companies and
people are discussing about BYOD and BYOT, the issue of privacy seems
overlooked and potentially more important. The policy in BYOD must follow
both the company policies as well as the national policies, so the companies’
aren´t allowed monitoring every move the employee does in his free time.
Mobile devices and laptops can contain a lot of data that the employee wants to
maintain private and if the laptop also contains company data, how can the
barriers be set in such a way that it is legal? In BYOD also the organizational
control over data is blurred. When business and private data exist on the same
device it can cause a lot of problems because some applications may require
license for business use but for private use they are free. (Miller & Voas &
Hurlburt 2012: 3.)
21
3.2. Cloud computing
Figure 6. Different devices in cloud computing (Ramsey 2013).
Internet can generally be seen as a collection of clouds as you can see from the
Figure 6. This means that the cloud computing is a set of resources and services
that are offered through the Internet (Shaikh & Haider 2011: 2). Cloud
computing enables consumers to access resources online through the Internet.
The resources from the cloud can be accessed at any time and from any place
where an Internet connection is available. For creating a secure BYOD
environment cloud computing is one good option because it is very cheap to
setup and the maintenance doesn´t cost anything. It is cheaper than most of the
other options to choose from and using a private cloud for the data storage
makes the system more secure because the employee doesn´t have direct access
to the corporate network. The biggest cloud service providers are Amazon and
Google. Cloud services can be divided into three sections: SaaS (Software as a
Service), PaaS (Platform as a service) and IaaS (Infastructure as a Service). These
services and their structures will be discussed more briefly in the next sections.
(Salmio 2012: 3.)
22
Platform as a Service (PaaS) is a service model where the user uses
development tools and application development platforms over the Internet. In
the model the user basically just writes the code, uploads it to the application
development platform and runs it. The service provider offers the efficient
development and testing environment and takes care of the maintenance. User
only has to have an Internet connection and a browser to upload the software.
Most of the service providers in this area limit their development platforms so
that it works only with certain programming languages. Some examples of the
common programming languages used in cloud computing are Java and
Python. The biggest service provider in PaaS is Google´s App Engine (GAE)
which supports Java and Python as well as Google´s own programming
language Go. (Salmio 2012: 15.)
The main idea in Software as a Service (SaaS) is that the clients use the service
providers programs over the Internet. The services are located in the service
providers servers so that the users using the services don’t have to install any
applications into their working spaces. The users only need a working browser
(Internet Explorer, Mozilla Firefox, Opera, Google Chrome etc.) and an Internet
connection to make the SaaS work. The service providers will take care of the
maintenance, updates, help desk as well as about the information security of the
service. The main advantage in SaaS is that it is easily reachable and usually the
users only pay how much they use the service so it is also a very efficient and a
flexible solution. (Salmio 2012: 14.)
23
Infastructure as a Service (IaaS) is the third service model which offers the
users virtualized hardware as well as for example free space to store their data.
Users can install and control their own operating systems and applications into
the virtual hardware but the cloud infrastructure is controlled only by the
service provider. IaaS is a very good choice for young companies because it is
very efficient and cheap solution. It is much cheaper for the company to move
the infrastructure into the cloud instead of buying their own workstations and
servers. Usually the companies are paying from the amount of data they store
into the cloud so it is a cheap solution when they aren´t paying anything from
the free space. IaaS services are provided by for example Amazon, IBM and
Microsoft, for example. The most popular IaaS services are Dropbox, Amazon
Simple Storage Service and Amazon Elastic Compute Cloud. (Salmio 2012: 15.)
The lowest layer of the service models is IaaS because it offers the hardware
which is a condition to make the upper layers work. In the middle is PaaS
which offers a development platform to the highest level applications and the
highest level is SaaS. Before the service models came the service provider and
the servers and after the models the user using them. Figure 7 shows a service
model architecture in Cloud computing. (Salmio 2012: 15.)
Figure 7. Service model architecture in Cloud computing (Salmio 2012: 16).
24
3.3. Virtual Private Network
A virtual private network (VPN) is a private network constructed within a
public network infrastructure, such as the global Internet. A VPN provides
network-to-network or remote-user-to-network connectivity via an encrypted
tunnel through the public Internet. VPN is widely used in international
companies where the offices are far away from each other but they still have a
main office and main server for data storage. In Figure 8 you can see a basic
concept of VPN connection over Internet. (Innanen 2003: 3.)
Figure 8. Basic concept of VPN over Internet (Innanen 2003: 3).
VPN connections can be divided into three categories: trusted VPN, secure VPN
and hybrid VPN. Trusted VPN is the oldest one of the connections and its roots
are from the time where Internet started. At that time the Internet service
provider (ISP) reserved the client a line that was only reserved for that client´s
usage. These loaned lines were used as they were the clients own lines. At that
time the privacy and protection of the line was only based on the ISP´s own
words. Soon after the ISP´s started to develop a better connection and a secure
25
VPN was developed, which shares information between two line using
encryption. Hybrid VPN is a result of combining secure VPN and trusted VPN
together. Remote user VPN can be seen in the Figure 9. It is almost similar to
normal VPN connection but it has a company firewall protecting the intranet.
(Innanen 2003: 3.)
Figure 9. VPN connection for remote user (Innanen 2003: 4).
3.3.1. VPN Tunneling
The basic idea of tunnelling in VPN is that the unprotected traffic is put inside a
“tunnel” that protects it from the third party. Tunnelling requires special
software to secure the connection for both ends. The connection between the
client´s tunnelling software and tunnelling server is called tunnel. Tunnelling
means that instead of direct connect first a connection with tunnelling software
is made before the final connection to the client is established. Between the
tunnelling software there is some own protocol used that first encrypts the
26
packages and then sends them to the end user. Before sending the data into the
final destination the data is decrypted into its original form.
The tunnelling protocols are divided into either 2nd or 3rd layer protocols
depending how they work in the OSI (Open Systems Interconnection) –model.
The most common VPN protocols are IPSec (Internet Protocol Security), L2TP
(Layer 2 Tunneling Protocol) and PPTP (Point to Point Tunneling Protocol).
They will be explained briefly within the next sections. In Figure 10 a typical
VPN protocol architecture is presented. (Innanen 2003: 3.)
Figure 10. VPN protocol architecture (Aqun & Yuan & Yi & Guangun 2000: 3).
The IP Security (IPSec) protocol includes a series of standards proposed by
IETF Internet Engineering Task Force) which introduce security mechanisms
into TCP/IP network. The security protocols in IPSec include Authentication
Header (AH), Encapsulating Security Payload (ESP), Security Associations
(SAs), key management and security algorithms. The encapsulation form of
IPSec in tunnel mode is (IP(AH or ESP)(IP)))). (Aqun & Yuan & Yi & Guangun
2000: 3.)
27
Layer 2 Tunnel Protocol (L2TP) could be classified as a tunneling protocol
supporting Internet-based remote access and work on the data link layer of the
OSI/RM architecture along with Microsoft´s Point to Point Tunnel Protocol
(PPTP) and Cisco´s Layer 2 Forwarding (L2F). The form of L2TP packet can be
seen below from the Figure 11. (Aqun & Yuan & Yi & Guangun 2000: 3.)
Figure 11. Structure of L2TP packet (Innanen 2003: 7).
Point to Point Tunneling Protocol (PPTP) was originally developed by
Microsoft to its Windows NT servers. PPTP delivers PPP frames in IP-diagrams
and transfers them over the Internet. PPTP can be used for combining routers
together or by creating remote connections. In Figure 12 a basic structure of
PPTP packet is presented. (Innanen 2003: 6.)
Figure 12. PPTP packet structure (Innanen 2003: 7).
28
3.3.2. VPN Data Encryption
Before the Internet data encryption was rarely used by the public. It was used in
the military area. Today online shopping has become more popular and people
are using their own bank accounts online thus it is essential to encrypt the data
traffic. When sending data over the network it is always important to encrypt it
with some algorithm. The main idea of data encryption is to transform plaintext
into cypher text in a way that is non-readable to unauthorized parties. In VPN
there are several different encryption methods to handle the data encryption.
They are usually divided into two categories: symmetric and non-symmetric
algorithms.
In symmetric encryption the sender and the receiver share the same secret key.
The same key is used for the encryption and decryption. The longer the key
length is the more secure is the encrypted data. The usage of the same secret
key for both sender and the receiver are fast and efficient ways to send data
over the VPN. The most common symmetric algorithms are Data Encryption
Standard (DES), Triple Data Encryption Standard (3DES) and Advanced
Encryption Standard (AES). DES is the oldest encryption standard with only 64bit encryption. Because the symmetric algorithms are based on the same keys,
they can be cracked if the calculation speed of the computer is high. DES
encryption uses only 64-bits for encryption and for that reason it has mostly
been replaced with either 3DES or AES algorithms. 3DES is an advanced
algorithm from DES. It uses two or three 56-bit encryption keys to create the
algorithm so it is using either 112 or 168 bits for the data protection. AES is the
29
strongest and most popular algorithm from these three containing 128, 196 or
256 bit secret key. (Torro 2007: 26.)
In non-symmetric algorithms the sender and the receiver are using key pairs
where the other key is public and the other key is secret. The keys work in a
way that if the data is encrypted with a secret key it could be decrypted with
the public key and if the data is encrypted with the public key it could be
decrypted with the secret key. Because of the usage of two different keys it is
almost impossible to crack the algorithms within a short amount of time and
this makes the data sent over the network secure. This is also the weakness of
the system because it takes so much time for the algorithm to get the data
encrypted and decrypted. The two most commonly used non-symmetric
algorithms are RSA, ECC (Elliptic Curve Cryptography) and Diffie-Hellman.
RSA fractionises large numbers into its prime factors. It has become the most
popular non-symmetric algorithm because it is so simple to create. The formula
for creating an RSA algorithm is:
(1)
Where M is the message being encrypted, C the encrypted message and e the
public key. For decrypting the message following formula should be used:
(2)
When decrypting the message d is the secret key. The only thing that remains
the same in both encryption and decryption is n. (Torro 2007: 26.)
Most of the products and standards that use public-key cryptography for
encryption use RSA. When the computers have become more efficient and the
30
calculation power has increased, the bit length for RSA has started to increase.
This has increased the processing load on applications that use RSA. For
electronic commerce sites that conduct large numbers of secure transactions this
has already become a burden. Elliptic Curve Cryptography (ECC) which is a
relatively new mechanism has started to challenge RSA. Unlike RSA, ECC is
based on discrete logarithms which are much more difficult to challenge at
equivalent key lengths. Compared to RSA ECC appears to offer equal security
for a far smaller bit size, thereby reducing processing workload. (Stallings &
Brown 2008: 645). An elliptic curve can be defined with the following equation:
(3)
From Figure 13 can be seen an elliptic curve with the operation P + Q = R.
Figure 13. Elliptic curve showing the operation P + Q = R (Kapoor, Vivek & Singh 2008: 5).
The crucial property of an elliptic curve is that we can define a rule for adding
two points which are on the curve to obtain a third point which is also on the
31
curve. The points and the addition law form a finite Abelian group. For
addition of the two points also a zero point 0 is needed to be the point of the
curve. It can´t satisfy the elliptic curve equation because otherwise it won´t
work. The curve order is the number of distinct points on the curve including
the zero point. After having defined the additional two points it is also possible
to define the multiplication kP where k is a positive integer and P is a point as
the sum of k copies of P.
If four persons A, B, C and D agree on a (non-secret) elliptic curve and a (nonsecret) fixed curve point F. A chooses a secret random integer
secret key and publishes the curve point
which is the
as the public key. B, C and
D does the same like A. Now when we suppose that A wants to send a message
to B. One way is to simply compute
and use the result as the secret key for
a conventional symmetric block (for example DES). B can compute the same
number by calculating
because
(4)
The security of ECC is based on the assumption that it is difficult to compute K
given F and KF.
When choosing the fixed curve for ECC a finite field must first be chosen. If the
field is for example GF(p) where p is a large prime number, the term xy is
omitted, leading to the following equation:
+a
+ b, where
If the selected field is GF(
(5)
), then we include the xy term to get
32
(6)
Fields GF(
with both p < 2 and m > 1 are not considered here.
After choosing the fixed curve we choose the fixed point. For any point P on a
elliptic curve in the GF(
,
(7)
For some a and b, b > a we will have a aP = bP. This implies cP = 0 where c = b ₋
a. The least c for which this is true is called order of the point and c must divide
the order of the curve. For good security the curve and the fixed point must be
chosen in a way that the order of the fixed point F is a large prime number.
With above provisions if F is an n-bit prime then computing k from kF and F
takes roughly
operations. Equations based on elliptic curves are attractive
because they are relatively easy to perform, and extremely difficult to reverse.
Table 1 shows a key-length comparison of ECC and RSA. It shows that ECC
can create the same level of protection than RSA in smaller amount of bits.
(Kapoor, Vivek & Singh 2008: 5.)
Table 1. RSA and ECC key-length comparison (Kapoor, Vivek & Singh 2008: 6).
33
Diffie-Hellman algorithm is based on discrete logarithms. The effectiveness of
the algorithm is based on the difficulty of computing discrete logarithms. The
purpose of the algorithm is for two users to use exchanged secret key for
encrypting messages. Discrete logarithm can be described briefly in the
following way. First a primitive root of a prime number p is defined as one
whose powers generate all the integers from 1 to p-1. That is, if a is a primitive
root of the prime number p, then the numbers
,
(8)
are distinct and consist of the integers from 1 through p-1 in some permutation.
For any integer b that is less than p and a primitive root a of prime number p,
one can find a unique exponent i such that
where 0 ≤ i ≤ (p-1)
(9)
The exponent i is referred to as the discrete logarithm of b for the base a, mod p.
With this background we can define the Diffie-Hellman key exchange. To
define the Diffie-Hellman key exchange two publicly known numbers are
needed; a prime number q and an integer
that is a primitive root of q. If users
A and B wants to exchange the key first they need to generate random numbers
x and y. After A selects a random integer
< g and computes
Similarly B does the same by selecting a random integer
.
and computes
. Each side keeps the X value private and make the Y value
available publicly to the other side. User A computes the key as
and user B computes the key as
. These two
calculations will end up into the same result. As a result the two sides A and B
34
have exchanged a secret value. The security of the Diffie-Hellman key exchange
lies in the fact that it is relatively easy to calculate exponentials modulo a prime
but it is very difficult to calculate discrete logarithms. Figure 14 illustrates a
typical structure of the Diffie-Hellman algorithm. (Stallings & Brown 2008: 641642.)
Figure 14. Diffie-Hellman algorithm.
3.3.4. VPN Authentication
Authentication is a process where the sender and the receiver make sure that
both parties are what they claim to be. There are several different authentication
protocols that can be used to authenticate a VPN connection. The most easy and
unsecure solution for VPN authentication is the requirement of password and
user name.
For a more advanced and secure authentication public key
35
encryption is used. In the next sections the typical VPN authentication protocols
and tokens are presented. (Huuhka 2011: 21.)
Password Authentication Protocol (PAP) is one of the oldest password –based
authentication methods in remote access. It is based on the two-way handshake
principle. First the remote user sends a login and password to the recipient. If
the recipient types correctly the login and password, the server lets the user into
the account. If the login or password is incorrect, it closes the connection and
sends an error message. PAP authentication is weak because the data isn´t
encrypted during the handshake and this can lead to a third party attack
against the server. (Huuhka 2011: 20.)
Challenge- Handshake Authentication Protocol (CHAP) is a more advanced
and secure authentication method than PAP. It is based on three-way
handshake. In CHAP authentication while trying to connect to a server the user
gets a message from the server which asks for login and password. The user
password is protected for example with a MD5 – algorithm and combined with
a hash value before sending it back to the server. The server then processes the
hash value and if it matches the server’s values, the user is accepted to connect
to the server. CHAP is more secure than HAP because the authentication
process is fully encrypted. (Huuska 2011: 21.)
Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) is a
little more advanced version from the traditional CHAP authentication protocol
36
and it is being used only in Windows systems. The difference between MSCHAP and CHAP is that in MS-CHAP MD 4 algorithm is used for data
encryption instead of MD 5. It also allows the user to save his password
encrypted to the server. In CHAP the saved password isn´t encrypted so there
is a possibility that someone could read it. (Huuska 2011: 21.)
Extensible Authentication Protocol (EAP) is an advanced version of the PPP
(Point-To-Point) protocol that is working on the link layer. EAP guarantees
wider support for different authentication methods such as Token-cards, singleuse passwords, public key authentication as well as digital certification usage.
There are many different versions of EAP which slightly differ from each other.
These kind of protocols are for example Lightweigth EAP (LEAP), Protected
EAP (PEAP), EAP-Transport Layer Security (EAP-TLS) and EAP- Tunneled TLS
(EAP TTLS). With LEAP authentication method you can secure wireless
connections. In this technique the user authenticates first to the authenticator
and then the authenticator identifies itself back to the user. In PEAP the
authentication
happens
with
digital
certificates
directly
through
the
authentication server and user and there is no need for a separate authenticator.
In EAP-TLS the authentication is based on user name and password. (Huuska
2011: 22.)
Another way to authenticate the users instead of using the existing protocols is
to use different kind of tokens for the authentication. There are three different
tokens based on authentication that the SecurID has to offer: hardware tokens,
software tokens and OTP (One-Time Password) On-demand tokens. These
37
three different tokens are based on authentication methods that will be
described briefly in the following three sections.
Hardware tokens offer a hacker-proof authentication which is easy to use and
user authentication is efficient. Hardware tokens are based into RSA´s
synchronizing technology which uses 128-bit AES-algorithm to create singleuse authentication code, OTP (One-Time Password).
To get logged into the SecurID´s secured system the user has to combine his
own PIN- code with the token´s generated authentication code. These two
codes combined create a OTP which is used for user identification or
authentication. If the SecurID system confirms the OTP, it allows the user to get
access into the secured material. This method is used for example when getting
money from an automated teller machine. The bank account and the PIN- code
are used to get access to the bank account. When using hardware authentication
the interaction with the computer is not needed so it doesn´t require any
software to work. Hardware tokens usually last for a lifetime so that the user
doesn´t have to change batteries or update them anyway. In Figure 15 an RSA
SecurID hardware token is presented. (Pienmunne & Paulow 2009: 33.)
Figure 15. RSA SecurID hardware token (RSA SecurID 2013).
38
The Software token (see Figure 16) was made so that the user doesn´t have to
carry a separate token hardware. The Token software is flexible and it supports
many different kinds of systems. RSA SecurID – software tokens support the
same algorithms as RSA SecurID –hardware tokens. Instead of installing the
symmetric key to hardware it is now being stored into the mobile phone or
PDA. The symmetric keys could also be installed into a smartcard or USB
device and being used together with the software tokens (Pienmunne & Paulow
2009: 33.)
Figure 16. Software token on USB stick (RSA SecurID 2013).
Like hardware tokens, OTP On-demand authentication is based on two-factor
principle. This means that the user receives an OTP and a PIN-code which is
allowed to be used once only. OTP can be delivered to the user who has
registered into the service either to mobile phone (see Figure 17) or to email. For
security reasons the laptop or mobile phone where the OTP is sent must also be
mentioned in the authentication service. (Pienmunne & Paulow 2009: 35.)
On-demand authentication makes it also possible that a certain user has access
to the company´s data for a limited time only. This can be necessary for a
company that hires a worker who does the work outside the company for a
39
certain amount of time. When the worker leaves from the company, the access
can be closed permanently. ABB uses OTP On-demand authentication for the
consults. (Pienmunne & Paulow 2009: 35.)
Figure 17. OTP On-demand authentication through mobile phone (RSA SecurID 2013).
3.4. Security threats
In literature the terms threat and attack are commonly used to mean more or
less the same thing even though there is a difference between these two terms.
Threat can be described as a potential violation of security when there is a
circumstance, capability, action or event that could breach security and cause
harm to the system. The attack for itself is an attempt to evade security services
and violate the security of the system. (Stallings 2011: 39). In UWYT there are
fewer threats than in BYOD because in BYOD the device is carried home from
work. For this reason companies have to know what kind of threats exists, how
40
dangerous they are and how they can protect their system against them. If the
portable device connected to the network is weakly protected and non-updated
the most dangerous threats that need to be avoided are the software threats
which can do a lot of harm to the company. In the following sections the four
most common software threats are explained.
3.4.1. Software Threats
There are four major security threats in BYOD that need to be avoided;
phishing, computer viruses, Trojans and buffer-overflows. If the software that
the company is using is not updated regularly there can be some serious
security threats within them. The best way to reduce the software threats to the
minimum is to update when a new version is available. Below in the next
chapters the major security threats are explained in more detail.
Phishing is an attempt where some third party people attempt to acquire data
like user names or passwords through email or through some faked WWWaddresses. Usually the addresses and pages are quite close to the original thus it
is difficult to recognize that it is the wrong website. (Umesh & Bishwa 2012: 2.)
Computer virus is a malicious computer program that can infect several
computers. There are also other types of malware such as adware and spyware
programs which are created to watch what the user does with his computer.
The difference between a true virus and a malware is that a virus can spread
41
from one computer to another (in a form of executable code) whereas malware
and adware doesn´t. Users can spread it over a network or the Internet or even
carry it with their USB, disk, CD or even DVD. (Umesh & Bishwa 2012: 1.)
A Worm is also a self-replication program which does not need another
program in order to be executed. The difference between worm and virus is the
way of replication; worms replicate over network connections while viruses
replicate on a host computer. (Karresand 2003: 1.)
Trojan horse is a program performing for the user unknown and unwanted
actions while at the same time posing as a legitimate program. Some Trojan
horses are equaled to a non-replicating virus and other times it is referred to as
a super-class to viruses and worms. Even though there is a slight difference
between a Trojan horse, worm and a typical virus.. Below in Table 2 you can
clearly see that even the anti-virus vendors (Symantec, Trend-Micro, eEye, FSecure) could not distinguish between a Trojan horse, worm or a virus.
(Karresand 2003: 1.)
Table 2. Example categorization of worms according to four anti-virus vendors.
(Karresand 2003: 2.)
42
Web bug is a script (usually a java object) which is embedded into a web page.
When you visit that particular website, it will be installed on your system. It is
usually invisible for the user so it can make some damage to the computer
without recognizing it. (Umesh & Bishwa 2012: 2.)
3.4.2. Risk Analysis
The most common response when a computer security professional tries to
secure enterprise and desktop to employee is that “I don´t have anything on my
computer a hacker would want.” That is mostly true because usually the
hacker´s aren´t interested about the data on the computer they hack. Instead
they want to use the computer for attacking other computers. For the
distributed denial-of-service (DDOS) attack the hacker needs many computers
connected to each other and one way to achieve this is to take control
someone´s home computers. For ABB it is very important to create a risk
analysis document which will include all the possible risks that BYOD can
create. Along with software threats there are also humans (employees, third
persons), hardware’s, net (firewall) and authentications that can cause a threat
to the company. These risk factors can be divided into four different groups
(hardware, human, net and authentication) and they will be explained briefly
within the next four chapters.
Hardware is always a risk to the company. Radiation is one of the risk factors
that are mostly underestimated. Graphics card and CRT (Cathode Ray Tube)
always have a small radiation that can be absorbed with special receivers.
43
Another risk factor is wiretapping of weak shielded hardware and an
uncontrolled entrance to the server and working place. Because the laptop is on
the move more than a job PC there is always a risk that a third party could
wiretap your hardware and get access to your data. It is also possible that when
someone leaves the laptop or mobile phone for a moment alone someone could
come and reset the BIOS (Basic Input Output System) settings by clearing the
CMOS (Complementary Metal Oxide Semiconductor) where the settings of
BIOS are stored. After that the person could get data stored to the computer by
using a Linux live CD.
The other workers as well as third party people are always a risk factor in
companies. If too many user rights are given the employees could do some
harm to the system. It is important that the employee is educated enough to
protect himself against the security threats.
The third risk factor is the net. An unprotected network is like an open door to
the company. It´s very important to have a good firewall and virus protection
to get protected against different attacks and viruses.
The fourth risk factor and one that needs to be carefully thought is the
authentication of the workers. It is necessary to use secure passwords
containing big letters, small letters and at least numbers to make them secure
enough against hackers. The company should also monitor and limit the user
44
rights so that the user isn´t allowed accessing another department’s information
through their software, for example.
3.5. Information Security and compliance
When a company becomes global and operates in many different countries the
harder it becomes for it to maintain a high security level within its system. ABB
has its own information security department locally which follows its users and
the programs they are using. There are many different security issues that need
to be taken into consideration while creating a strong security system for BYOD
and they are discussed in the next section.
3.5.1. Security considerations
The users who accept the BYOD policy in ABB can work at home or at work
with their devices. Thus it is really important for the employees to have a secure
connection when they connect to the corporate network. The network
connection must be handled through a secure VPN (Virtual Private Network)
which makes the connection more secure. ABB uses IPSec protocol for the VPN
authentication.
The application control is also important for the company perspective because if
the employee installs software that is harmful for the system it can cause
45
serious troubles. Because of the Finnish national laws it is not allowed to check
what programs the employees are using, a BYOD agreement must be made.
This agreement contains a list of programs that are allowed to be installed.
Since several different IOS (Android, Windows 8 RT and Mac OS) are used
among the BYOD test users unique solutions must be made for each operating
system when it comes to VPN and security solutions.
To protect the IOS
against viruses and malwares good and regularly updated antivirus software is
needed. For Windows RT operating system it isn´t possible to install any
software outside from the Windows store and that demands the Windows RT
user to use the antivirus software that Windows provides. Because in the past
ABB has used only Windows –based computers and laptops, most of the
contracts related to security issues have been made for Windows. That is why
for example in Mac OS ABB had free hands to choose what antivirus software is
most suitable and best for the company. Because the BYOD is still in pilot mode
it was decided to use ClamXav which is free antivirus software under the GNU
open source software license. For Android devices ABB also had free hands, so
after going through several options from the Android market, Android
Antivirus was chosen for the pilot BYOD test.
USB drives, MP3 players, CDs, DVDs and other removable media can pose a
real threat to any device (see Figure 18). For example network worms can take
advantage of USB and other types of removable drives and even PDF files can
hide a web-based attack inside them. Application control can be used to block
attacks from removable drives and even preventing some programs to write
46
code to a machine (Symantec 2013). For device control Symantec, Check Point
and McAfee are the most well-known service providers world-wide. In ABB the
device control has been handled by McAfee for Windows operating systems but
because of the time limitations for the thesis it was decided that it won´t be
installed on Android, Mac OS or Windows RT at all. For Windows RT it would
have been impossible to install because it can’t be found in the app store.
Figure 18. List of devices controlled by device controller (McAfee 2012).
3.5.2. Compliance considerations
There are several different important compliance considerations that need to be
solved before the employee can start using the BYOD device. First and foremost
the end user agreement must be made among the employee and ABB and it
must contain the list of rights the employee has and list of rights what the
employer has. Before signing the user agreement the employee needs to go
47
through it and must understand the details of the agreement fully before
signing it. For example if the laptop containing ABB data gets stolen or lost,
ABB must have the permission to wipe-out the computer after certain amount
of time if the computer can´t be found. The employee must know the risks of
saving data on the computer without having a back-up. Another important
issue related to the user rights are the programs that can be installed on the
device. Apple and Windows RT have handled it well because it is controlling its
own application store but for Android the store isn´t controlled so well so the
employee must be aware of the risks that might come when he downloads the
software online. Because the device is owned by the employee he is allowed to
install the software he needs from the store but must be aware of the risks of an
infected application.
A further issue is the licensing that plays an essential role when a device is
owned by both company and the employee. There is several different software
that are free to download for private usage but for business you have to buy a
license. The question in this case is, if the software requires a license or not? At
the moment it is not regulated by the law.
Security awareness is also one of the key elements in creating a successful
BYOD system. Within the company the software is automatically updated and
maintained by the IT support but in BYOD the employee itself must be aware of
the recent updates and risks about the recent trends in internet security. The
company is responsible of giving the employees enough information about the
risks as well as training them to become more well-known about the security of
48
their working devices. The software must be updated automatically so that the
computer always has the latest and most secure versions of the software.
49
4. INTERNET OPERATING SYSTEMS IN BUSINESS WORLD
There are several different IOS (Internet Operating Systems) that are used in the
business world today. Ten years ago most of the companies used only
Windows as their main Internet operating system. The rapid growth of mobility
has brought a lot of different other operating systems. These can be divided into
three categories. To the first category belong operating systems, that the mobile
company has created themselves. Examples for this category are Apple iOS,
RIM´s BlackBerry OS and HP´s WebOS which was previously known as
PalmOS.
To the second category belong operating systems where a developer has
developed an operating system that can be installed in different mobile phones,
but the OS developer doesn´t manufacture phones themselves. The best
example for this category is Windows 7 which can be used in any mobile phone
but the company isn´t manufacturing any mobile phones.
In the third category there are operating systems which are based on open
source codes. Examples for this group are Meego, Android and Symbian.
Anyone can use these open source operating systems in their own devices and
edit them the way they want to. (Avikainen 2012: 21.)
50
4.1. Windows (PC)
Windows is the most commonly used operating system in today’s world.
According to W3schools (2013) the operating systems from the Windows family
are installed on 82,5% of the computers in 2013. 55% of the devices today are
using Windows 7 which means that Windows 7 is the most common operating
system today. (Avikainen 2012: 21.)
The latest version of Windows is 8 which was launched on October 26th, 2012.
At the same time when Microsoft launched Windows 8 it also launched their
first operating system for tablets, Windows RT. The Windows RT user interface
(UI) is same than in Windows 8 and they also share some same code, but they
are still distinct operating systems designed for different classes of devices and
run on different processors. Windows 8 runs on Intel´s x86/64 processor
architecture, Windows RT only works on devices with ARM (Advanced RISC
Machines) -licensed CPUs (Central Processing Unit). While Windows RT lacks
certain features and compatibility in comparison to Windows 8, Microsoft
aimed for Windows RT devices to take advantage of the ARM platform's power
efficiency (allowing for longer battery life) and to support system-on-chips
which allow a thinner hardware designs. Microsoft also focuses on the new
Windows Store platform for touch-optimized apps to provide a reliable OS
which is easy to use for their customers. The only desktop applications officially
supported by Windows RT are those that come with the operating system itself
(such as File Explorer, Internet Explorer, and the Office RT programs). Only
Windows Store applications (which use WinRT, a new cross-platform
application architecture that is processor instruction set independent and
51
supports both Windows 8 and RT) can be installed by users on Windows RT
devices (Keizer 2012: 1). This causes problems for many businesses because
they use certain software for certain services like emails (Lotus Notes in ABB
Finland).
4.2. Linux
Linux is an operating system started by a Finn called Linus Torvalds in 1991.
Linux is a free operating system and the source code to it can be found online. It
was an early alternative to other UNIX workstations offered by Sun
Microsystems and IBM. Today Linux is a full-featured UNIX system that runs
on many platforms including Intel Pentium and Itanium as well as in
Motorola/IBM PowerPC. (Stallings 2008: 94.)
4.3. Apple Mac OS
Apple Mac OS is a graphical user interface –based operating system that has
been developed by Apple Inc. for their Macintosh computers. The first version
of the Mac operating system was introduced in 1984 with the original
Macintosh. The latest stable version of this operating system is 10.8.2 (Mountain
Lion) which was released in November 2012.
52
4.4. Windows Phone 8
Windows Phone 8 is the latest mobile operating system in windows mobile
phones. It has been available to consumers since the 29th of October 2012. It is
programmed in C / C++ and runs with devices like Nokia Lumia 920 –mobile
phone. User interface of Windows Phone 8 can be seen from Figure 19.
Figure 19. Windows Phone 8 user interface (Jain 2012).
4.5. Android
Android is a quite new operating system for mobile devices. Google bought
Android Inc. in 2005 and started developing their own Android platform.
Android is a Linux-based operating system which is designed primarily for
53
touchscreen mobile devices such as smartphones and tablet computers. It is the
world´s most used smartphone platform (Avikainen 2012: 21). From Table 3
can be seen the different versions of Android and their current distribution
among Android users. (Android Developers 2013.)
Table 3. Distribution and different versions of Android (Android Developers 2013).
4.6. Apple iOS
Apple is known for having its source code private and it sometimes makes
things more complicated when connecting Apple device to some other system.
The first version of iOS was released in 2007 for iPhone and iPod Touch. It has
been developed for the touch screens and it differs a bit from the Mac OS X. The
latest version of Apple iOS is 6 which was released in September 2012 (Costello
2012).
54
5. BYOD SECURITY SOLUTION FOR ABB
This chapter of the thesis contains confidential information about the BYOD
security solution for ABB as well as personal interviews about the ABB BYOD pilot.
It is removed from the public and remains secret.
55
6. CONCLUSION
Bring Your Own Device (BYOD) is a technology that is here to stay. When
allowing employees to use BYOD the companies are opening a new chapter for
security managers and administrators. The security governance framework and
corporate security policies will need to be redefined and a great deal of effort
will be required to make each policy efficiently operational and streamlined.
Even more and more companies have started to allow their employees to bring
own devices to working place and use them for accessing the corporate network
and personal work-related software. There are several different Internet
operating systems, with different strengths and weaknesses which made the
creation of BYOD complicated for ABB. The company has a really strict security
policy which didn´t allow to use one solution for all the operating systems but
instead an own solution for each system was required. Since the IT departments
are located in different countries it took quite much time before all the devices
had access to a corporate network and before all the software required for
security was installed.
Even though BYOD is already in use in different companies there is still a lot of
future work and questions that need to get answers before it can be fully
applied to everywhere. For the future work the main questions about creating a
successful BYOD policy to ABB is to find answers to software license related
issues which haven´t been solved in any companies in Finland so far. Is it
allowed for the employees to install personal software to their own working
device without buying the business license to it? Who can tell if the person uses
the software for business usage or personal usage? It is a question that most
56
likely first needs a lawsuit and solution before it can be fully answered. Another
question that needs to be considered is that what happens to the company data
when an employee suddenly decides to change a job and leave the company?
Will the computer be wiped out of data or will the employee just remove all the
company software?
In this pilot phase only four people got the BYOD device for test use and it took
a lot of time to create a system that is secure for the employees. The devices and
settings were set up by professionals so a big question that will remain is that
will the employees be able to set up their own devices by themselves or do they
need help setting them up? If the BYOD policy will be applied to a larger
amount of people the set up should be so easy that almost everyone could do it
successfully when following the instructions step by step. When connecting to
the corporate network the BYOD device must be tested somehow to make sure
that it contains all the latest required software updates and patches to make the
connection as secure as possible. A good suggestion to this question and maybe
a future work would be to create a test system that tests the BYOD device´s
installed software and makes sure before allowing the connection that the
device is up to date.
For the future work it would be good to do a system and software scan for the
BYOD device before it is allowed to connect to the corporate network or service
cloud to make sure that the software is up to date. The BYOD device would also
need to have a strong passcode for login and full-disk encryption for disk,
removable media and cloud storage to keep the system as secure as possible.
57
For BYOD in ABB the best and most secure way to operate would be a wellprotected service cloud which would be compatible with different operating
systems. This would make the BYOD more secure in ABB when everything
goes through a secure service cloud and the device connecting to the cloud is
scanned before it connects to it. For mobile phones a Mobile device
management (MDM) would be vital to delete the sensitive company data if the
device gets stolen or lost. Also for both laptops and mobile phones a proper
application control would be essential to make sure there isn´t any suspicious
software running while connecting to the company´s service cloud.
There is demand for BYOD in ABB like there is in many other big companies
around the world but only the future will show how big the BYOD trend will
eventually become and will it replace the old way of thinking permanently.
58
REFERENCES
ABB Group presentation February 2013. ABB Intranet 2013.
Android Developers 2013 [online]. Available from the Internet: <URL:
http://developer.android.com/about/dashboards/index.html>. Read
5.3.2013
Aqun, Zhao, Yuan Yuan, Ji Yi & Guangun Gu. (2000). Research on tunneling
techniques in virtual private networks. Digital Object Identifier:
10.1109/ICCT.2000.889294
Avikainen, Sari (2012). Muuttuvan laitekannan hallinta – BYOD ja tietotekniikan
kuluttajistuminen
media-alan
yrityksessä.
Opinnäytetyö.
Haaga-Helia
University of Applied Sciences.
Butler, Shawn A (2002). Security Attribute Evaluation Method: A Cost-Benefit
Approach
[online].
Available
from
the
Internet:
<URL:
http://www.cs.cmu.edu/~shawnb/SAEM-ICSE2002.pdf>.
Butler, Shawn A (2003). Security Attribute Evaluation Method [online].
Available
from
the
Internet:
<URL:
http://reports-
archive.adm.cs.cmu.edu/anon/anon/usr0/ftp/usr/ftp/2003/CMU-CS-03132.pdf>.
59
Burt, Jeffrey (2011). BYOD Trend Pressures Corporate Networks [online].
Available from the Internet: <URL: http://winfwiki.wi-fom.de/images
/2/2e/65469365.pdf/>.
Costello, Sam (2012). iPhone Firmware & iOS History [online]. Available from
the
Internet:
<URL:
http://ipod.about.com/od/iphonesoftwareterms/a/
firmw_history.htm/ >.
Egan, Matt (2013). Do Apple Macs need antivirus? OS X security explained
[online]. Available from the Internet: <URL: http://www.pcadvisor.co.uk/
features/security/3418367/do-apple-macs-need-antivirus-os-x-securityexplained >.
Ellis, L. , Saret, J. & Weed, P. (2012). BYOD: From company-issued to employeeowned devices. Telecom, Media & High Tech Extranet 2013.
Huuhka, Riku (2011). Turvallisen Etäyhteyden Luominen. [online]. Available
from
the
Internet:
<URL:
http://publications.theseus.fi/bitstream/
handle/10024/24740/Huuhka_Riku.pdf?sequence=1>. Opinnäytetyö. Oulu
University of Applied Sciences.
Innanen, Heikki (2003). VPN Virtual Private Network [online]. Available from
the Internet: <URL: http://www2.it.lut.fi/kurssit/02-03/010626000/
palautukset/seminaarit/vpn.pdf/ >.
ISF Grey Chapter Meeting ZRH (2012). Bring Your Own Device – A Challenge
And An Opportunity.
60
Jain, Pragati Chaplot (2012). BYOD: Nuisance or Need? [online]. Available from
the Internet: <URL: http://www.maas360.com/maasters/blog/mobiledevice-management/byod-nuisance-or-need/ >.
Kapoor, Vivek, Sonny Abraham Vivek & Ramesh Singh (2008). Elliptic Curve
Cryptography. ACM Ubiquity, Volume 9, Issue 20. <URL: http://csis.bitspilani.ac.in/faculty/murali/netsec-10/seminar/refs/abhishek3.pdf/ >.
Karresand, Martin (2003). Separating Trojan Horses, Viruses, and Worms
- A Proposed Taxonomy of Software Weapons. ISBN 0-7803-78083/03/$17.00 @ 2003 IEEE
Keizer, Gregg (2012). FAQ: All about Windows RT, the OS behind a Microsoft
tablet
[online].
Available
from
the
Internet:
<URL:
http://www.
computerworld.com/s/article/9228202/FAQ_All_about_Windows_RT_the_
OS_behind_a_Microsoft_tablet/ >.
Lifehacker (2013). How to Make Your VPN Even More Secure [online].
Available from the Internet: <URL: http://lifehacker.com/5902397/how-tomake-vpns-even-more-secure/ >.
Miller, Keith, Jeffrey Voas & George Hurlburt (2012). BYOD: Security and
Privacy Considerations. 1520-9202/12/$31.00 ©2012 IEEE
Ortiz, Sixto (1997). Virtual private networks: leveraging the Internet. Digital
Object Identifier: 10.1109/2.634834.
61
Pienmunne,
Juhamatti
&
Jari
Paulow
(2009).
Kertakäyttöiset
salasanat
tietoverkoissa. Opinnäytetyö. Kymenlaakso University of Applied Sciences.
Priyadarshi, Gaurav (2013). Leveraging and Securing the Bring Your Own
Device and Technology Approach. ISACA Journal Volume 4, 2013
(Language Of Cybersecurity).
Ramsey, Matthew (2013). State Of Cloud Computing [online]. Available from
the Internet: <URL: http://www.business2community.com/tech-gadgets/
state-of-cloud-computing-0381119/ >.
Rounak, Jain (2012). First Update to Windows Phone 8 Apollo Might Be Called
Portico, Not Apollo+ [online]. Available from the Internet: <URL:
http://androsym.com/news/first-update-to-windows-phone-8-apollomight-be-called-portico-not-apollo/ >.
Salmio, Petri (2012). Pilvipalvelut. Opinnäytetyö. Turku University of Applied
Sciences.
Sanouvong, Tim (2013). BYOD – An Emerging Technology Concept [online].
Available from the Internet: <URL: http://www.blogs.oracle.com/
OracleIDM/entry/partner_blog_series_deloitte_talks />.
Shaikh, F.B. & Haider, S. (2011). Security Threats in Cloud Computing. 978-1908320-00-1/11/$26.00 ©2011 IEEE
62
Singh, Niharika (2012). B.Y.O.D. Genie Is Out Of the Bottle – “Devil Or Angel”
ISSN No: 2319-5614
Stallings, William & Lawrie, Brown (2008). Computer Security – Principles and
Practice. Pearson International Edition. Pearson Education Inc. ISBN 0-13513711-X
Stallings, William (2011). Cryptography and Network Security Principles and
Practise. Fifth Edition. Pearson Education Inc. ISBN 0-13-705-632-X
Stallings, William (2008). Operating Systems: Internals and Design Principles. Sixth
Edition. ISBN-13: 978-0-13-600632-9
Symantec (2013). Security Response [online]. Available from the Internet: <URL:
http://www.symantec.com/security_response/securityupdates/list.jsp?fid=
adc/ >
Symantec (2013). Internet Security Threat Report 2013 [online]. Available from
the Internet: <URL: http://www.symantec.com/content/en/us/enterprise/
other_resources/b-istr_main_report_v18_2012_21291018.en-us.pdf >.
Trend Micro (2012). TrendLabs2012 Mobile Threat and Security Roundup
[online]. Available from the Internet: <URL: http://www.trendmicro.com/
cloud-content/us/pdfs/security-intelligence/reports/rpt-repeatinghistory.pdf >
63
Torro, Tuomas (2007). VPN-ratkaisujen vertailu. [online]. Available from the
Internet: <URL: http://www.doria.fi/bitstream/handle/10024/28149/stadia1192088317-3.pdf>
Insinöörityö.
Helsinki
Metropolia
University
of
Applied Sciences.
Umesh, H. & Bishwa, Pati (2012). Study Of Internet Security Threats Among
Home Users. 978-1-4673-4794-5/12/$31.00 @2012 IEEE
W3schools, 2013. OS Platform Statistics [online]. Available from the Internet:
<URL:
http://www.w3schools.com/browsers/browsers_os.asp/>
04.03.2013.
Read: